Another rule I consider important is to forbid logging in as root from a remote host. Every administrative task that requires that account is then done locally, from the server's own command line.

To prevent remote root logins, it is enough to allow that account to connect only from the local host, like this:
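One way to do it, as an added example that is not the article's own listing: a small shell script that lists the root accounts in mysql.user and produces a DROP USER statement for each one that is not bound to the local host. The LOCAL_HOSTS list and the sample account list are assumptions made for illustration; the mysql client invocation is the standard one.

```shell
#!/bin/sh
# Added example, not from the original article: find the root accounts
# that can log in over the network and produce the statements that
# remove them. Assumes a Unix host with the mysql client in PATH and a
# login able to read mysql.user; the account list below is constructed.

# Host values under which a root login still counts as local. MySQL
# keeps 'root'@'localhost' (socket) and 'root'@'127.0.0.1' (TCP
# loopback) as distinct accounts, so both are listed.
LOCAL_HOSTS='localhost 127.0.0.1 ::1'

# Ask the live server for its root accounts, one "user<TAB>host" per line.
list_root_accounts() {
    mysql -N -B -e "SELECT user, host FROM mysql.user WHERE user = 'root'"
}

# Read "user<TAB>host" lines on stdin and print a DROP USER statement for
# every root account whose host is not in LOCAL_HOSTS. Pure text filter,
# so it can be run (and tested) without a database.
drop_remote_root_statements() {
    awk -v local_hosts="$LOCAL_HOSTS" '
        BEGIN {
            FS = "\t"
            n = split(local_hosts, list, " ")
            for (i = 1; i <= n; i++) is_local[list[i]] = 1
        }
        $1 == "root" && !($2 in is_local) {
            # \047 is a single quote; MySQL wants user and host quoted.
            printf "DROP USER \047root\047@\047%s\047;\n", $2
        }'
}

# Constructed sample of what list_root_accounts returns on a server that
# still allows root from anywhere (the % wildcard) and from one remote
# address.
sample_root_accounts() {
    printf 'root\tlocalhost\nroot\t127.0.0.1\nroot\t%%\nroot\t10.0.0.5\napp\t%%\n'
}

# Dry run on the sample. On a real server use:
#   list_root_accounts | drop_remote_root_statements          # review
#   list_root_accounts | drop_remote_root_statements | mysql  # apply
sample_root_accounts | drop_remote_root_statements
```

On the sample this prints DROP USER statements for 'root'@'%' and 'root'@'10.0.0.5' and leaves the two local accounts alone. What makes root reachable from the network is an account such as 'root'@'%' or one bound to a specific remote host; keeping both local forms loses nothing, since MySQL uses 'root'@'localhost' for socket connections and 'root'@'127.0.0.1' for TCP loopback. This restricts the account only; it does not stop the server from listening on the network, which is the subject of the last section.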

MySQL enables a number of features by default that are not necessarily needed. Here is an example of parameters to add to /etc/my.cnf to disable the ones we have no use for:

# These settings belong in the server section of my.cnf
[mysqld]

# Disable the event scheduler (timer-driven SQL jobs)
event-scheduler = 0

# Disallow LOAD DATA LOCAL INFILE, which lets a SQL statement make the
# server ask the client to send a file from the client machine's own
# disk. Server-side LOAD DATA INFILE is governed by the FILE privilege,
# not by this option.
local-infile = 0

# Disable symbolic-link support for tables.
# Symlinks let a table's files live on another disk, but they also let
# a user with the right privileges point a table at files outside the
# data directory.
skip-symbolic-links

# Disable the MERGE storage engine
# (not every MySQL version accepts this option name; check
# `mysqld --verbose --help` before relying on it)
skip-merge


Secure Network Access

Finally, we make sure the server is not reachable from the network at large. To do this we put it behind a firewall, or on a VLAN that is not directly accessible, so that only the servers that actually use the database can reach it.

We can verify that direct connections to the MySQL server are blocked with the telnet command (3306 is the default port):
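As an added example, not from the original article, here are both halves of that last step in one script: a function that prints host-firewall (iptables) rules allowing only a list of application servers to reach the MySQL port, and a probe that does the same reachability check as telnet using bash's /dev/tcp, for hosts where telnet or nc is not installed. It assumes a Linux host with bash and iptables (and coreutils `timeout` where available); the addresses and the host name in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Two helpers for the
# network layer: gen_mysql_fw_rules prints host-firewall (iptables) rules
# that let only the listed application servers reach the MySQL port, and
# tcp_port_status is the reachability probe the article does with telnet.
# Assumes a Linux host with bash and iptables; `timeout` (coreutils) is
# used when present. Addresses below are constructed for illustration.

MYSQL_PORT=3306

# Application servers that are allowed to talk to the database
# (constructed sample; replace with the real list).
APP_SERVERS='10.0.1.10 10.0.1.11'

# Print iptables commands for an allow-list on port $1: one ACCEPT per
# address given after it, then a DROP for everyone else. Printing instead
# of executing lets the rule set be reviewed first; pipe the output to sh
# as root to apply it (in an existing rule set, insert these before any
# catch-all ACCEPT).
gen_mysql_fw_rules() {
    port=$1
    shift
    # Local clients: the Unix socket never hits the firewall, but a
    # local client using TCP to 127.0.0.1 does.
    echo "iptables -A INPUT -i lo -p tcp --dport $port -j ACCEPT"
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp -s $ip --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Probe host:port and print "open" if a TCP handshake completes, "closed"
# if the connection is refused or nothing answers within $3 seconds.
# Uses bash's /dev/tcp, so it works where telnet and nc are missing.
# Against a DROP rule the probe times out; against a REJECT rule (or no
# listener at all) it fails immediately.
tcp_port_status() {
    host=$1
    port=$2
    secs=${3:-3}
    if command -v timeout >/dev/null 2>&1; then
        run="timeout $secs bash -c"
    else
        run="bash -c"   # no timeout: a DROP rule means waiting for the kernel's connect timeout
    fi
    if $run "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# Rules for the sample list (review them, then `| sh` as root on the
# database server).
gen_mysql_fw_rules "$MYSQL_PORT" $APP_SERVERS

# The article's telnet check, run from a host that should NOT have
# access (db.example.internal is a hypothetical name):
#   telnet db.example.internal 3306   -> must hang or be refused
# The same check without telnet, here against this machine's own port:
tcp_port_status 127.0.0.1 "$MYSQL_PORT"
```

Run the probe twice: from a machine outside the allowed list, where "closed" is the expected answer, and from one of the application servers, where it must say "open". The second run is the one people forget; a filter that also shuts out the application servers looks identical to a correct one from the outside.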